Analysis

max time kernel: 4294183s
max time network: 125s
platform: windows7_x64
resource: win7-20220311-en
submitted: 21/03/2022, 20:22

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe
Resource: win7-20220311-en
0 signatures, 0 seconds
General

Target: SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe
Size: 7.7MB
MD5: 7bf3a72a5287c6388cda810822c894a3
SHA1: 4c23e414457d18ceee367a19afbe0c51588c3df0
SHA256: 7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476
SHA512: 014fa7d7ead618cdbead06ec8658b7c41baba40d1954358065b28f0eab824028a4b34263d187ed332a0e40b5e6bba64b027bf6cfadf638b0924ae96aba00d9c9
Score: 10/10
Malware Config

Signatures

Executes dropped EXE (1 IoC)
  pid 2004  Win32WebViewHost.exe

Loads dropped DLL (1 IoC)
  pid 1876  SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce  (process: SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (process: SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2004  Win32WebViewHost.exe  (the same entry is listed 64 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2004  Win32WebViewHost.exe

Suspicious use of WriteProcessMemory (12 IoCs; each entry below is listed 3 times)
  PID 1876 wrote to memory of 2004  (SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe, procid_target 27)
  PID 2004 wrote to memory of 1600  (Win32WebViewHost.exe, procid_target 29)
  PID 2004 wrote to memory of 1664  (Win32WebViewHost.exe, procid_target 30)
  PID 1664 wrote to memory of 608   (cmd.exe, procid_target 33)
Processes

- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe"
  PID:1876
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
    PID:2004
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\cmd.exe
      Command line: "cmd.exe" /C erase %temp% /f /s /q
      PID:1600

    - C:\Windows\system32\cmd.exe
      Command line: "cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "Win32WebViewHost.exe"
      PID:1664
      - Suspicious use of WriteProcessMemory

      - C:\Windows\system32\choice.exe
        Command line: choice /C Y /N /D Y /T 1
        PID:608